/* We got access denied here. If we're already root,
or we didn't need to do a chown, or the fsp isn't
open with WRITE_OWNER access, just return. */
- if (get_current_uid(handle->conn) == 0 || !chown_needed ||
- !(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
+ if (get_current_uid(handle->conn) == 0 || !chown_needed) {
return NT_STATUS_ACCESS_DENIED;
}
+ status = check_any_access_fsp(fsp, SEC_STD_WRITE_OWNER);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
/*
* Only allow take-ownership, not give-ownership. That's the way Windows
}
if (get_current_uid(handle->conn) == 0 ||
- chown_needed == false ||
- !(fsp->access_mask & SEC_STD_WRITE_OWNER))
+ chown_needed == false)
{
return NT_STATUS_ACCESS_DENIED;
}
+ status = check_any_access_fsp(fsp, SEC_STD_WRITE_OWNER);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
/*
* Only allow take-ownership, not give-ownership. That's the way Windows
return NT_STATUS_INVALID_PARAMETER;
}
- if (!(fsp->access_mask & SEC_DIR_LIST)) {
+ status = check_any_access_fsp(fsp, SEC_DIR_LIST);
+ if (!NT_STATUS_IS_OK(status)) {
DBG_INFO("dptr_create: directory %s "
"not open for LIST access\n",
fsp_str_dbg(fsp));
- return NT_STATUS_ACCESS_DENIED;
+ return status;
}
status = OpenDir_fsp(NULL, conn, fsp, wcard, attr, &dir_hnd);
if (!NT_STATUS_IS_OK(status)) {
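Review bot: The DBG_INFO text on the failure path still says only "not open for LIST access", but the code now returns whatever `check_any_access_fsp()` yields instead of a fixed NT_STATUS_ACCESS_DENIED, so the log no longer identifies the status sent to the client. The helper's body is not part of this diff; if it can return anything other than access-denied, the message should carry the status, e.g. `"not open for LIST access: %s\n", fsp_str_dbg(fsp), nt_errstr(status)`. The same applies to the sparse hunk, which logs `fsp->access_mask` with a hard-coded "access denied", and to the delete-on-close, SACL and DACL/OWNER/GROUP messages further down. The enclosing function starts and ends outside this hunk.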
* Windows Server 2008 & 2012 permit FSCTL_SET_SPARSE if any of the
* following access flags are granted.
*/
- if ((fsp->access_mask & (FILE_WRITE_DATA
- | FILE_WRITE_ATTRIBUTES
- | SEC_FILE_APPEND_DATA)) == 0) {
- DEBUG(9,("file_set_sparse: fname[%s] set[%u] "
- "access_mask[0x%08X] - access denied\n",
- smb_fname_str_dbg(fsp->fsp_name),
- sparse,
- fsp->access_mask));
- return NT_STATUS_ACCESS_DENIED;
+ status = check_any_access_fsp(fsp,
+ FILE_WRITE_DATA
+ | FILE_WRITE_ATTRIBUTES
+ | SEC_FILE_APPEND_DATA);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("fname[%s] set[%u] "
+ "access_mask[0x%08X] - access denied\n",
+ smb_fname_str_dbg(fsp->fsp_name),
+ sparse,
+ fsp->access_mask);
+ return status;
}
if (fsp->fsp_flags.is_directory) {
NTSTATUS can_set_delete_on_close(files_struct *fsp, uint32_t dosmode)
{
+ NTSTATUS status;
/*
* Only allow delete on close for writable files.
*/
* intent.
*/
- if (!(fsp->access_mask & DELETE_ACCESS)) {
- DEBUG(10,("can_set_delete_on_close: file %s delete on "
+ status = check_any_access_fsp(fsp, DELETE_ACCESS);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("file %s delete on "
"close flag set but delete access denied.\n",
- fsp_str_dbg(fsp)));
- return NT_STATUS_ACCESS_DENIED;
+ fsp_str_dbg(fsp));
+ return status;
}
/* Don't allow delete on close for non-empty directories. */
* Setting a changenotify needs READ/LIST access
* on the directory handle.
*/
- if (!(fsp->access_mask & SEC_DIR_LIST)) {
- return NT_STATUS_ACCESS_DENIED;
+ status = check_any_access_fsp(fsp, SEC_DIR_LIST);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
if (fsp->notify != NULL) {
goto out;
}
- if (!(fsp->access_mask & FILE_WRITE_ATTRIBUTES)) {
- reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ status = check_any_access_fsp(fsp, FILE_WRITE_ATTRIBUTES);
+ if (!NT_STATUS_IS_OK(status)) {
+ reply_nterror(req, status);
goto out;
}
struct smb_request *smbreq;
bool is_compound = false;
bool is_last_in_compound = false;
+ NTSTATUS status;
req = tevent_req_create(mem_ctx, &state,
struct smbd_smb2_flush_state);
* they can be flushed.
*/
- if ((fsp->access_mask & flush_access) != 0) {
+ status = check_any_access_fsp(fsp, flush_access);
+ if (NT_STATUS_IS_OK(status)) {
allow_dir_flush = true;
}
case FSCC_FILE_ALL_INFORMATION:
case FSCC_FILE_NETWORK_OPEN_INFORMATION:
case FSCC_FILE_ATTRIBUTE_TAG_INFORMATION:
- if (!(fsp->access_mask & SEC_FILE_READ_ATTRIBUTE)) {
- tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+ status = check_any_access_fsp(fsp, SEC_FILE_READ_ATTRIBUTE);
+ if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
break;
case FSCC_FILE_FULL_EA_INFORMATION:
- if (!(fsp->access_mask & SEC_FILE_READ_EA)) {
- tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+ status = check_any_access_fsp(fsp, SEC_FILE_READ_EA);
+ if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
break;
/* Ensure we have the rights to do this. */
if (security_info_sent & SECINFO_OWNER) {
- if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
- return NT_STATUS_ACCESS_DENIED;
+ status = check_any_access_fsp(fsp, SEC_STD_WRITE_OWNER);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
if (security_info_sent & SECINFO_GROUP) {
- if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
- return NT_STATUS_ACCESS_DENIED;
+ status = check_any_access_fsp(fsp, SEC_STD_WRITE_OWNER);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
}
if (security_info_sent & SECINFO_DACL) {
- if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
- return NT_STATUS_ACCESS_DENIED;
+ status = check_any_access_fsp(fsp, SEC_STD_WRITE_DAC);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
/* Convert all the generic bits. */
if (psd->dacl) {
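Review bot: The SECINFO_OWNER and SECINFO_GROUP branches now make the identical call `check_any_access_fsp(fsp, SEC_STD_WRITE_OWNER)` back to back, so a request carrying both bits runs the helper twice and the WRITE_OWNER rule lives in two places. A single guard, `if (security_info_sent & (SECINFO_OWNER|SECINFO_GROUP)) {`, followed by one check would keep the rule in one spot and avoid the two copies drifting apart later. The helper is not shown in this diff, so whether the repeated call costs more than a mask test cannot be judged from here. The function body begins and ends outside the hunk.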
}
if (security_info_sent & SECINFO_SACL) {
- if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
- return NT_STATUS_ACCESS_DENIED;
+ status = check_any_access_fsp(fsp, SEC_FLAG_SYSTEM_SECURITY);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
/*
* Setting a SACL also requires WRITE_DAC.
* See the smbtorture3 SMB2-SACL test.
*/
- if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
- return NT_STATUS_ACCESS_DENIED;
+ status = check_any_access_fsp(fsp, SEC_STD_WRITE_DAC);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
/* Convert all the generic bits. */
if (psd->sacl) {
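Review bot: The SACL branch needs both SEC_FLAG_SYSTEM_SECURITY and SEC_STD_WRITE_DAC, and it is only correct because the two rights are checked in separate calls. Going by its name and by the flush and can_rename hunks, where it replaces an any-bit-set mask test, `check_any_access_fsp()` succeeds when any one requested bit is granted, so merging the two calls into one OR-ed mask would silently weaken the check to either right. The existing comment says WRITE_DAC is also required but not why the calls must stay apart. I would extend it with `/* Both rights are required: keep two calls, check_any_access_fsp() is any-of. */`. The enclosing function continues outside the hunk.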
* Get the permissions to return.
*/
- if ((security_info_wanted & SECINFO_SACL) &&
- !(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
- DEBUG(10, ("Access to SACL denied.\n"));
- return NT_STATUS_ACCESS_DENIED;
+ if (security_info_wanted & SECINFO_SACL) {
+ status = check_any_access_fsp(fsp, SEC_FLAG_SYSTEM_SECURITY);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("Access to SACL denied.\n");
+ return status;
+ }
}
- if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
- !(fsp->access_mask & SEC_STD_READ_CONTROL)) {
- DEBUG(10, ("Access to DACL, OWNER, or GROUP denied.\n"));
- return NT_STATUS_ACCESS_DENIED;
+ if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) {
+ status = check_any_access_fsp(fsp, SEC_STD_READ_CONTROL);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("Access to DACL, OWNER, or GROUP denied.\n");
+ return status;
+ }
}
status = refuse_symlink_fsp(fsp);
static NTSTATUS can_rename(connection_struct *conn, files_struct *fsp,
uint16_t dirtype)
{
+ NTSTATUS status;
+
if (fsp->fsp_name->twrp != 0) {
/* Get the error right, this is what Windows returns. */
return NT_STATUS_NOT_SAME_DEVICE;
return NT_STATUS_OK;
}
- if (fsp->access_mask & (DELETE_ACCESS|FILE_WRITE_ATTRIBUTES)) {
- return NT_STATUS_OK;
+ status = check_any_access_fsp(fsp, DELETE_ACCESS | FILE_WRITE_ATTRIBUTES);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
-
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_OK;
}
/****************************************************************************
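Review bot: The tail of can_rename() now stores the helper result, returns it on failure and otherwise returns NT_STATUS_OK, which is the same as returning the helper result directly. `return check_any_access_fsp(fsp, DELETE_ACCESS | FILE_WRITE_ATTRIBUTES);` says the same thing in one line. If nothing else in the function uses it, the `NTSTATUS status;` local added at the top could then be dropped. The middle of the function lies outside the visible hunks, so that last part needs confirming against the full body.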
fsp_get_io_fd(fsp) != -1)
{
/* Handle based call. */
- if (!(fsp->access_mask & FILE_WRITE_DATA)) {
- return NT_STATUS_ACCESS_DENIED;
+ status = check_any_access_fsp(fsp, FILE_WRITE_DATA);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
if (vfs_set_filelen(fsp, size) == -1) {
fsp_get_io_fd(fsp) != -1)
{
/* Open file handle. */
- if (!(fsp->access_mask & FILE_WRITE_DATA)) {
- return NT_STATUS_ACCESS_DENIED;
+ status = check_any_access_fsp(fsp, FILE_WRITE_DATA);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
/* Only change if needed. */